Since Friday of this week (August 20), there has been a massive wave of attacks on unpatched on-premises Exchange servers in versions 2013 to 2019. The attacks use the so-called ProxyShell vulnerability. Security researchers observed more than 1,900 Exchange systems being taken over with installed WebShells within 48 hours. The CERT-Bund issued a security warning on Saturday (August 21).
Known combination of several vulnerabilities
This is a failure that was announced in advance: At the beginning of August 2021, the security researcher Orange Tsai presented new methods of attacking on-premises Exchange servers at the BlackHat 2021 hacker conference. By the end of the first week of August, the first Internet-wide scans for vulnerable Exchange servers became known. A combination of three vulnerabilities enables remote attacks via ProxyShell exploits on systems that have not yet been hardened against these vulnerabilities by updates and that can be reached from the Internet: CVE-2021-34473 (classified as “critical”), CVE-2021-34523 (also “critical”) and CVE-2021-31207 (“medium”).
The Shodan search engine identified 240,000 Internet-accessible Exchange servers worldwide, 46,000 of which are said to be vulnerable. In Germany, around 50,000 Exchange servers accessible via the Internet are reported, of which over 7,800 are vulnerable to a ProxyShell exploit.
Almost 2000 infected servers in 48 hours
The security researchers at HuntressLabs have also followed the massive wave of attacks and are sounding the alarm. In a blog post from August 2021, the security researchers list five different types of WebShells that are being placed on vulnerable Microsoft Exchange servers via the ProxyShell attack vector. The attackers use the WebShells to escalate privileges and to keep a backdoor for access to the system.
Within 48 hours, over 1,900 unpatched Exchange servers worldwide were infected with over 140 WebShells via the ProxyShell vulnerability. Exchange Server 2013, 2016 and 2019 are affected; the WebShells are given random file names. The LockFile ransomware gang is also trying to attack vulnerable Exchange servers and encrypt them with its ransomware.
Security expert Kevin Beaumont has brought together the latest findings in a post on doublepulsar. Among the organizations affected so far, HuntressLabs lists construction companies, seafood processing companies, industrial machinery firms, auto repair shops, a small local airport and other businesses.
Patches available since April 2021
Microsoft closed the vulnerabilities used for the ProxyShell attacks with its security updates for April 2021. For weeks, administrators have been asked to bring the on-premises Exchange servers they are responsible for up to the latest patch level. In addition, it should be ensured that the Exchange servers are not unintentionally exposed to the Internet without protection.
Those who have not yet patched may already have a WebShell installed as a backdoor on their Exchange systems. Patching afterwards does not remove these backdoors and infections. Heise Security has described how to find indications of an infection and how to secure your systems.
Beaumont has published a ProxyShell script for the nmap scanner that administrators can use to test their own Exchange servers for vulnerability to ProxyShell attacks. In addition, Florian Roth has published new Sigma rules for SIEM systems to detect ProxyShell attacks.
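Because patching does not remove a WebShell that was dropped before the update, and because the dropped files carry random names, a practical follow-up check is to compare the script files in the Exchange web directories against a hash baseline taken from a clean installation. The following Python script is an added example written for this article; it is not code from heise, HuntressLabs, Beaumont or Microsoft. The directory list, the baseline-building step and the cutoff date are assumptions for the example and have to be adapted to the local installation.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumption for this example: directories in which attackers typically drop
# .aspx WebShells on an Exchange server. Adjust to the local installation.
EXCHANGE_WEB_DIRS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    r"C:\inetpub\wwwroot\aspnet_client",
]

# Server-side script extensions that IIS will execute and that a WebShell uses.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_script_files(root):
    """Yield every executable script file below root, in a stable order."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            yield p


def build_baseline(clean_root) -> set:
    """Hash set of all script files in a known-clean copy of the web directories
    (for example a freshly patched reference server). Anything not in this set
    is unknown to the baseline and therefore worth a look."""
    return {sha256_of(p) for p in iter_script_files(clean_root)}


def find_suspect_aspx(root, baseline_hashes, cutoff_epoch):
    """Return (relative path, reason) for every script file under root whose
    content hash is not in the clean baseline. The modification time is only
    a secondary hint: files newer than cutoff_epoch (e.g. the day the exploit
    became public) are marked as such, but timestamps can be forged, so the
    hash comparison is the primary signal."""
    root = Path(root)
    findings = []
    for p in iter_script_files(root):
        if sha256_of(p) in baseline_hashes:
            continue  # identical to a known-good file, not interesting
        rel = p.relative_to(root).as_posix()
        if p.stat().st_mtime > cutoff_epoch:
            findings.append((rel, "unknown file, modified after cutoff"))
        else:
            findings.append((rel, "unknown file"))
    return findings


if __name__ == "__main__":
    # Stand-alone demo on a constructed directory tree instead of a real server.
    demo = Path(tempfile.mkdtemp())
    good = demo / "owa" / "auth" / "logon.aspx"
    good.parent.mkdir(parents=True)
    good.write_text("<%@ Page %> legitimate Exchange page (constructed)")
    baseline = build_baseline(demo)
    shell = demo / "aspnet_client" / "h3xq9.aspx"  # random name, constructed
    shell.parent.mkdir(parents=True)
    shell.write_text("<%@ Page %> unexpected file (constructed)")
    cutoff = time.time() - 86400  # assumption: one day ago
    for rel, reason in find_suspect_aspx(demo, baseline, cutoff):
        print(f"{reason}: {rel}")
```

Run `build_baseline` against a clean reference installation once, store the resulting hashes, and run `find_suspect_aspx` against each production server's web directories. Every unknown file should be inspected by hand; a hit is not proof of compromise (custom OWA themes or vendor add-ins also produce unknown files), but a randomly named `.aspx` file in a directory that normally contains none is exactly the pattern described above.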